fix: cloud connection should bypass custom JWT flow

2024-12-16 20:26:19 -05:00 · 2024-03-18 18:35:32 +08:00 · 2024-03-18 18:35:32 +08:00 · 18fb88ecdd
commit 18fb88ecdd
parent 084ced1bd6
2 changed files with 10 additions and 24 deletions
--- a/packages/core/src/libraries/cloud-connection.ts
+++ b/packages/core/src/libraries/cloud-connection.ts
@ -34,20 +34,11 @@ const accessTokenExpirationMargin = 60;

 /** The library for connecting to Logto Cloud service. */
 export class CloudConnectionLibrary {
-  private _isAuthenticated = false;
  private client?: Client<typeof router>;
  private accessTokenCache?: { expiresAt: number; accessToken: string };

  constructor(private readonly logtoConfigs: LogtoConfigLibrary) {}

-  get isAuthenticated() {
-    return this._isAuthenticated;
-  }
-
-  private set isAuthenticated(value: boolean) {
-    this._isAuthenticated = value;
-  }
-
  public getCloudConnectionData = async (): Promise<CloudConnection> => {
    const { getCloudConnectionData: getCloudServiceM2mCredentials } = this.logtoConfigs;
    const credentials = await getCloudServiceM2mCredentials();
@ -76,8 +67,6 @@ export class CloudConnectionLibrary {
      if (expiresAt > Date.now() / 1000 + accessTokenExpirationMargin) {
        return accessToken;
      }
-      // Set the cloud connection to not authenticated if the access token is expired.
-      this.isAuthenticated = false;
    }

    const { tokenEndpoint, appId, appSecret, resource } = await this.getCloudConnectionData();
@ -105,8 +94,6 @@ export class CloudConnectionLibrary {
      expiresAt: Date.now() / 1000 + result.data.expires_in,
      accessToken: result.data.access_token,
    };
-    // Set the cloud connection to `authenticated` if the access token is valid.
-    this.isAuthenticated = true;

    return result.data.access_token;
  };
--- a/packages/core/src/oidc/init.ts
+++ b/packages/core/src/oidc/init.ts
@ -215,19 +215,18 @@ export default function initOidc(
        return;
      }

-      /**
-       * The execution on this function relies on the existence of authenticated cloud connection client.
-       *
-       * The process that cloud connection get access token also includes this function (`extraTokenClaims`
-       * is a function that will always be executed during the process of generating an access token), it
-       * could trigger infinite loop if we do not terminal the process early.
-       */
-      if (!cloudConnection.isAuthenticated) {
-        return;
-      }
-
      const isTokenClientCredentials = token instanceof ctx.oidc.provider.ClientCredentials;

+      /**
+       * Cloud connection should not go through this custom JWT logic.
+       */
+      if (isTokenClientCredentials) {
+        const { appId } = await cloudConnection.getCloudConnectionData();
+        if (token.clientId === appId) {
+          return;
+        }
+      }
+
      const {
        value: { script, envVars },
      } = (await trySafe(